CTF Challenge

figures/ctf.png
echo "10.10.11.201    bagel.htb" >> /etc/hosts

Reconnaissance

  • Scanning open ports using Nmap
8000/tcp open  http-alt syn-ack Werkzeug/2.2.2 Python/3.10.9
|     Date: Sat, 11 Mar 2023 17:22:00 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 263
|     Location: http://bagel.htb:8000/?page=index.html
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
  • Likely running inside a Docker container

Enumeration

figures/site.png
  • ?page=index.html at the end of the URL; that rings a bell

Checking for LFI vuln

  • If the page parameter is vulnerable to LFI, we can possibly read any file:
http://bagel.htb:8000/?page=<file>
  • Getting the /etc/passwd file
figures/lfi_test.png
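The weakness behind a ?page=<file> parameter, shown as a pair of path resolvers. This is an added illustration, not the Bagel application's own code; WEB_ROOT and ALLOWED_PAGES are constructed values. vulnerable_resolve mirrors the unchecked join that lets /etc/passwd and /proc/self/cmdline be read; hardened_resolve shows the checks a fixed handler should apply.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-ins: the real app's directory and file list are not on the page.
WEB_ROOT = "/app/static"
ALLOWED_PAGES = {"index.html", "about.html"}


def vulnerable_resolve(page):
    """Unchecked join of user input onto the web root.

    posixpath.join drops WEB_ROOT entirely when `page` is absolute, and
    normpath happily walks '../' sequences out of the root.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def hardened_resolve(page):
    """Return the path to serve, or None if the request must be refused.

    Decode once, reject NUL bytes, collapse '../' and leading slashes,
    require an allow-listed name, and confirm the result is still under
    WEB_ROOT before handing it to open().
    """
    candidate = unquote(page)
    if "\x00" in candidate:
        return None  # a NUL would truncate the name in C-level open()
    # Anchoring at '/' first means '../' cannot climb above the root; the
    # lstrip then turns the result back into a relative name.
    candidate = posixpath.normpath("/" + candidate).lstrip("/")
    if candidate not in ALLOWED_PAGES:
        return None
    full = posixpath.join(WEB_ROOT, candidate)
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None  # defence in depth: never serve from outside the root
    return full


if __name__ == "__main__":
    for p in ("index.html", "../../../etc/passwd", "/proc/self/cmdline"):
        print(f"{p!r}: vulnerable -> {vulnerable_resolve(p)}, "
              f"hardened -> {hardened_resolve(p)}")
```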

Enumerating the vuln

  • Getting the current process's command line via LFI
  • /proc/self/cmdline → the command line of the process reading it (here, the web server)
figures/cmdline.png
  • Getting the Python (Flask) script
figures/flask.png

contd.

# Excerpt of the Flask application recovered through the LFI. Imports and the
# app object are added here so the snippet is self-contained; `websocket` is
# the websocket-client package.
import json
import websocket
from flask import Flask

app = Flask(__name__)

@app.route('/orders')
def order():
    # don't forget to run the order app first with "dotnet <path to .dll>" command.
    # Use your ssh key to access the machine.
    try:
        ws = websocket.WebSocket()
        ws.connect("ws://127.0.0.1:5000/")  # connect to the .NET order app on localhost
        order = {"ReadOrder": "orders.txt"}  # JSON request naming the file to read
        data = str(json.dumps(order))
        ws.send(data)
        result = ws.recv()
        return(json.loads(result)['ReadOrder'])
    except:  # bare except: any failure, not just a refused connection, ends up here
        return("Unable to connect")

Listing all processes

figures/process.png
figures/dotnet-process.png

procfs

  • Contains special (virtual) files.
  • Reflects the current state of the kernel

/proc/cmdline

Kernel boot parameters

/proc/version

Kernel version and build details

/proc/uptime

Machine/Kernel uptime

figures/proc.png